
Trailrunner7 sends in this excerpt from Threatpost (Adobe announcement here): "Adobe today shipped a critical Reader/Acrobat patch to cover a total of 17 documented vulnerabilities that expose Windows, Mac, and Unix users to malicious hacker attacks. The update, which affects Adobe Reader/Acrobat 9.3.2 and earlier versions, includes a fix for the outstanding PDF '/Launch' functionality social engineering attack vector that was disclosed by researcher Didier Stevens. As previously reported, Didier created a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file." Relatedly, Brian Krebs blogs about the downsides of Adobe's increasingly Byzantine update process.
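A defender-side check for the PDF /Launch action vector the summary describes, added here as an example (it is not code from Threatpost, Adobe or Didier Stevens). The PDF fragments are constructed samples, and the scanner assumes uncompressed objects.

```python
import re

# Constructed sample PDF fragments (minimal, not real documents).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# /OpenAction points at a /Launch action that fires as soon as the file is opened.
LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /Launch /Win << /F (PLACEHOLDER_PROGRAM) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# The same action with the name written using #xx escapes, which the PDF spec allows.
ESCAPED_PDF = LAUNCH_PDF.replace(b"/Launch", b"/#4Caunch")

HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
LAUNCH_ACTION = re.compile(rb"/S\s*/Launch\b")
OPEN_ACTION = re.compile(rb"/OpenAction\b")
ADDITIONAL_ACTIONS = re.compile(rb"/AA\b")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so /#4Caunch compares equal to /Launch."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Flag /Launch actions and the triggers that fire them without a click.

    Only uncompressed objects are inspected; objects inside compressed object
    streams must be decompressed first (Didier Stevens' pdf-parser can do that).
    """
    norm = normalize_names(data)
    findings = {
        "launch_actions": len(LAUNCH_ACTION.findall(norm)),
        "open_action": OPEN_ACTION.search(norm) is not None,
        "additional_actions": ADDITIONAL_ACTIONS.search(norm) is not None,
        "escaped_names": norm != data,
    }
    findings["suspicious"] = findings["launch_actions"] > 0
    return findings
```

Disabling the "Allow opening of non-PDF file attachments with external applications" trust setting in Reader is the configuration-side mitigation this check complements.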

I don't know of any company that has managed to do that though. In most cases, they are aware of the exploit at least a day before patching it. I mean, I can't imagine finding a solution, implementing it, and fully testing it in under 24 hours. I CAN imagine finding a solution, implementing it, and pushing it out, but that's dangerous.

Not so hard to do with web platforms, where "pushing it out" means changing a file or two on a server.

Of course, we've seen (here on Slashdot) what happens when you try to do that too often... but most of us have probably been in a situation where we're told to shell into the box and manually edit a file "right now!!!" with a best-guess way to stop something from being a problem, even if it's only to disable certain functionality temporarily while you work out a real fix.

Yes. If you do a Google search for CVE-1297 zero day (going from memory here; the CVE number might be off. CVEs are the numbering scheme used by the MITRE organization. One of the things they do is publish details on exploits/vulnerabilities as they happen, and security people use them as a reference point) you will find some analysis that was done on a PDF found in the wild.

When I got up this morning and fired up the little netbook, I got a message saying that Adobe had an update -- but the thing wasn't even on the internet; there were no local wifi signals this morning.

I wonder if it's really the patch, or if the Adobe bug let someone in my box? I dread internet security updates, and wish that, with software I've paid for at least (not free stuff like PDF readers) they'd snail mail a CD to me.

The difference is how much warning you get. Most of the security bugs Adobe fixes are found internally (you'll never hear about those - unless it greatly affects product functionality), and even for those reported to them externally by third-party researchers they usually get several months' lead time.

Zero day bugs are where some guy says "surprise look what I found" on his blog without any warning despite how long a bug takes to fix.

Yes, I wish every exploit could just be called an exploit (sans "zero day" in front of everything) unless it's specifically 1) a vulnerability the company has chosen not to fix, or 2) a vulnerability some guy somewhere knew about but hadn't used in order to keep it valuable. It's like if we were to start calling Microsoft Office "Microsoft Office for Windows" incessantly. It's assumed, unless you're specifically on a Mac or running it in WINE or something.

If I have flash plugins installed, but not acrobat, and I did my browsing in an account without admin privileges, how vulnerable would I have been? If you can't answer, perhaps you are clueless as well?

You would have to be running a pre-10.1 version of Flash first. Then the exploit would have to force your system to execute code that was written for *nix. Since Windows is the majority of the market I doubt anyone has taken the time to write such code for this exploit. I think you're safe. :)

Apparently, the same vulnerability existed in both products (Flash was patched a couple of weeks ago). I'm not sure how that works - I thought this was the vulnerability inherent in the PDF spec (Foxit had a patch out the same week this was disclosed).

I think it's mostly the apathy. PDF was really great when it was new, and really was a page description format, not a web portal. Far better than sending PS files to the printer when it took 10 minutes per page just to send the bits. Adobe pisses me off so much because they used to be genuinely innovative and useful.

Don't get fooled into thinking a non-admin account is safe. Sure, unless you're root they probably can't set up a mail server, but check out all the files in your Documents directory. See anything that has financial information? Maybe a password list (encrypted or not)? How about email, do you store it on your computer? Do you use your browser to access any useful websites like email or banking sites? If you create a dummy account with highly restricted access (i.e., you know what you're doing) you can p

As this is an issue in Adobe Acrobat and Adobe Reader and you don't have either of them installed, you're not affected by this bug. It's very hard for software you don't have installed to cause problems.

There are other bugs in Flash though, they may cause problems, but this isn't one of them.

I have used my Ubuntu machine at home to look at several questionable Flash-based websites in the last few weeks.

Well... Umm... You see, this fix has nothing to do with Flash, it's entirely in Adobe Reader...

But... Perhaps you should do a scan just in case. I'm not sure how questionable the sites you visit actually are, but if they are half as questionable as the sites I visit, you probably caught Erectile Dysfunction or something from just looking at it.

For the 90% of us who don't require all the minutiae of functionality and cruft which Adobe Reader offers, there are options. Obviously Mac folk are covered by Apple's built in Preview, but on Windows, Sumatra PDF is amazing and ridiculously small.
It's better than Foxit, in my opinion, for barebones PDF viewing in Windows. Check it out!
http://blog.kowalczyk.info/software/sumatrapdf/index.html [kowalczyk.info]

Thanks for the link. Comparing some documents side by side between Foxit and SumatraPDF, Sumatra rendering has some issues with gamma and images. Text rendering is a little better in Foxit. I can live with the yellow blank starting page, though.

SumatraPDF fills a nice niche. If you hardly ever use Windows, it is sufficient for most purposes (occasional PDF viewing.) I have three Windows systems which I use for gaming and stuff like that (e.g. a netbook which runs Streets and Trips; there's no good Linux navigation software.) They all have SumatraPDF and I've never been unable to read anything I've opened with it.

It has long since gotten to the point where PDF is easier to deal with on Linux than Windows. Especially since if you really have to, you ca

I've always had issues with Sumatra. It seems to render some datasheets incorrectly; every now and again it'll consume 100MB+ RAM, though that goes away when closing and reopening PDFs; but most annoying is that it'll happily stretch and print landscape documents on portrait (though you told it not to) and create several-megabyte files to send to the Xerox (which it really doesn't like).

Sadly, my employer has chosen a payroll provider (ADP) that requires Adobe Reader specifically to view paystubs. Foxit won't work, nor will any of the other options (apparently Acrobat has some stupid web toolbar option that's beyond PDF). Why would anyone do that? Now when I need to see my paystub I have to download 200MB of Adobe cruft, then later uninstall it along with Adobe Download Manager and a bunch of other crap that Adobe stuffs in along the way. Man, I hate Adobe these days.

I'm not seeing how it's better than Foxit. Rendering seems to be slower, for one thing. And the minimalist tool bar is great and everything, but having the zoom control buttons accessible in one click is handy (or to put it another way, hiding them in a menu is annoying). No tabs, either.

I did this. I also uninstalled Java after getting pwned by that crap that breaks out the sandbox and manages to set your proxy to loopback before crapping on about all the "viruses" you are infected with.

Seriously only going to use addins that run in-process now - at least I slightly trust the CreateRestrictedToken API that IE8/Chrome use for tab processes.

In the past, we delivered Adobe Reader updates as full installers or patches (for instance, 9.x = full installer, 9.x.y = patch). The Adobe Reader Download Center at http://get.adobe.com/reader [adobe.com] always offers the most recent full installer of Adobe Reader, which is currently Adobe Reader 9.3. After installation, the Adobe Reader Updater will automatically check and offer the latest patches to keep end-users up-to-date (as of today, the latest patch is Adobe Reader 9.3.3).

What a bunch of incompetent ass clowns. They can't even offer up a downloadable 9.3.3 install yet. You have to do it in two stages. If I was running the show, the people that crapped out this dung-pile would be looking for work tomorrow morning.

Ugh. I just updated on my Mac running 10.6.4. It looks like Adobe is still distributing Reader 9.3.0 as the default distribution package. I had to download/install this version and then apply individual patches for 9.3.1, 9.3.2, and finally 9.3.3. Annoying.

This time, whatever these idiots did, the jump from 9.3.0 to 9.3.3 doesn't work at all. It may have something to do with the idiotic "repair adobe pdf viewer" plugin dialogue, which has no title and opens in the background, unclickable.

Idiots (hopefully they read this) still install Adobe Updater to Utilities, but they were too lazy to feed it with data, so the dedicated (and working) Updater doesn't work either. Of course, it is still added to launchd on a per-user schedule.

I appreciate they probably had some QA to do in order to release this puppy and it took a while, but I loaded Evince [gnome.org], uninstalled Flash and called it a day. If you can't see it on YouTube using their HTML 5 beta [youtube.com] then that's a real good time to boot up Linux, even if it's just in Xen [xen.org] or Oracle/Sun VirtualBox [virtualbox.org] running on Windows. It works just fine for web browsing, with fewer zero-day exploits.

It's been nearly a week since I updated Reader! About time for another download install and unnecessary reboot!

Every single time Reader/Acrobat updates it resets itself as the default viewer. That's completely inappropriate behavior, especially for a 'security update'. (And no, I can't uninstall it. Job requires proofing PDF in Reader just like all my poor clients.)

I saw/overheard this in a bar recently (seriously):
Girl: So where do you work?
Guy: Adobe.
Girl: Oh yeah, you're the guys always asking me to

Hah! I had a client tell me about a problem with the font size on their website (it's already dynamic, set at 1em). His proof was that the person that complained worked for Adobe. Yeah, you know that Reader thing that bugs you all the time? That's Adobe.

When using ExitWindowsEx() at the end of your patch install, don't use the damned EWX_FORCE flag. It doesn't even give users enough time to respond to the "Save? Yes/No/Cancel" dialogs popping-up before the applications are kill -9'd and users lose all their unsaved data.

If the Windows developers had a clue, they would make it so that application developers could update their software without requiring a reboot much of the time. Reboot intervals should be measured in years, not hours.

The Windows mandatory file locking scheme is brain damaged. Windows filesystems need to support a mode where a file can be replaced (Unix style) without disturbing people who currently have a file open for read only access (like running executables, for example).
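The Unix-style replacement the comment has in mind, as an added example that is not from any commenter: a reader keeps the old file open while a new version is renamed over the path, and the reader's view is undisturbed. File names and contents are constructed.

```python
import os
import tempfile


def atomic_replace(path: str, new_content: bytes) -> None:
    """Write new_content to a temp file in the same directory, fsync it, then rename over path.

    On POSIX, rename() swaps the directory entry atomically; any process that still
    has the old file open keeps reading the old inode until it closes it.
    """
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new_content)
            f.flush()
            os.fsync(f.fileno())  # data on disk before the name points at it
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def demo() -> tuple:
    """Simulate a running program (open reader) while its file is updated underneath it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.bin")  # constructed file, stands in for a locked executable
        with open(path, "wb") as f:
            f.write(b"version 1")
        reader = open(path, "rb")  # the "running" process holding the old version open
        atomic_replace(path, b"version 2")
        old_view = reader.read()  # still sees version 1: the old inode is intact
        reader.close()
        with open(path, "rb") as f:
            new_view = f.read()  # a fresh open sees version 2
        return old_view, new_view
```

On Windows the os.replace call in demo() typically raises PermissionError while the reader holds the file open, which is the mandatory-locking behaviour the comment describes.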